Tuesday, 6 December 2016

Why Cybersecurity Matters to Startups And Small Businesses?

There are two kinds of companies in the world: those that know they have been hacked and those that don’t. This quote best captures the reality of cybersecurity. No industry, sector or country is immune to a cyber attack. Every company, be it a technology giant or a small business, has vulnerabilities that hackers could exploit. It is well acknowledged that hackers have resources equal to, if not better than, those of security professionals. So the threat is real. But the main reason a firm gets hacked is not the existence of the hazard (the hackers) but the vulnerability: the indifference that company management shows towards cybersecurity. The same complacency is found among entrepreneurs running small businesses and start-ups. Ask them and they shoot back, “Why me? We are not a financial services company” or “We are too small for a hacker to target”.
If that were the case, start-ups like Ola and Zomato would not have been hacked in the first place. The hacker who gained unauthorized access to Ola’s network was puzzled to see so many vulnerabilities. He could easily watch, trace and connect all API calls. To prove it, he exploited this flaw and recharged his Ola account for free.
The apathy towards cybersecurity does not end here. There is a natural tendency towards complacency about cyber security. Small businesses and start-ups do not consider security a priority, which is a dangerous trend. With India emerging as an economic hotspot on the global map and the government’s move towards demonetization, the online flow of cash is set to increase. A cash-based economy is transforming into a cashless one. As more transactions occur through net banking, e-wallets, and debit and credit cards, hackers are bound to be attracted towards India. The ATM card fiasco of October 2016 is just one recent example. As per the Internet Security Threat Report 2016, published by Symantec, 43% of spear-phishing attacks were targeted against small businesses. There are prudent and pragmatic reasons why small businesses and start-ups in India face an imminent cyber threat.

Threat Landscape for Small Businesses and Start-ups
Firstly, start-ups hold a treasure trove of information that hackers would love to exploit. Some companies hold a cache of customer information, including credit and debit card details, at an early stage. Such information is a goldmine for hackers who want to commit financial fraud. Additionally, hackers are also interested in stealing the innovative ideas and intellectual property that start-ups possess. Bad actors also use a start-up’s technology infrastructure to get into large corporations’ networks, because many start-ups and small businesses act as third-party vendors to large firms and provide ancillary services. The 2013 U.S. credit card breach at Target happened due to vulnerabilities in the network of a third-party vendor. The hackers accessed Target’s internal networks by stealing network credentials from the third-party vendor Fazio Mechanical, which had been contracted for HVAC services. Once inside Target’s network, the hackers uploaded malware to cash registers within Target stores. The malware gradually spread to most of Target’s point-of-sale devices, which ultimately led to the theft of as many as 40 million credit card details.

Secondly, threat actors are continuously at work. This means that a start-up’s website, network, server etc. can be hacked at any moment. According to research conducted by Trend Micro, 3.5 new cyber threats occur every second. This poses an increased risk to start-ups, because bigger companies have improved their security systems while small businesses with poor to zero security are sitting ducks for hackers.
Thirdly, the growth in the use of mobile apps, web apps and big data has increased attack surfaces. Most small businesses and start-ups in the service sector deliver their products and services through mobile apps and web platforms. Protecting them should therefore be a higher priority, but busy entrepreneurs who do not see information security as a business priority pay it no attention.
Fourthly, small businesses and start-ups are now moving to the cloud because cloud services are less expensive. However, hackers know this, and that is why threats targeting the cloud are increasing daily. A report by Intel Security titled “McAfee Labs 2017 Threats Predictions Report” highlights that in the upcoming year 2017, cloud threats will increase significantly, thereby increasing the risk for start-ups and small businesses.

Last but not least, not only are these companies at major risk of a data breach, but their employees, especially top management, are on hackers’ radar. An interesting case that best explains this is the hack of the Twitter account of Hootsuite’s CEO by the hacker group OurMine. The hackers gained access to his Twitter account through a side door. The victim had enabled the Foursquare app to access his Twitter account, a process known as “app authing”. The Foursquare network was hacked and some accounts were compromised, including the credentials of the victim. The hackers used these credentials to enter his Twitter account and started tweeting from it. Hacking the personal accounts of CEOs serves many purposes for hackers. Not only does it give them access to sensitive information that only senior management would know, but it also gives them the limelight they relentlessly seek.

Mitigation Measures
It is now well recognized that employees are the biggest cyber threat. They are the extended endpoints, and most attacks nowadays are targeted not against vulnerabilities in the system but against the lack of awareness among employees. Therefore, small businesses and start-ups need to enforce strict internal security policies and guidelines to ensure their information is protected.
Develop a proper cyber security culture: Employees should be trained in security principles. They should be able to differentiate phishing emails from authentic ones. Every firm should build a security culture based on best practices and policies such as strong passwords and internet usage guidelines. Employees should not use unprotected networks to log in to the company server. Nor should they install any unsigned third-party apps on smartphones that they use for official work.

Define the rules for handling customer data: The rules for handling sensitive customer data should be drafted and strictly enforced. Appropriate penalties should be imposed for any violation of the rules.

Implement an incident reporting mechanism: A proper incident reporting mechanism needs to be adopted and integrated by small enterprises. This would ensure that all attacks and incidents are reported to the operations security team and that the requisite security measures are proactively undertaken to prevent a breach.

Make security a habit: Security measures like two-factor authentication, regular software upgrades and firewall protection should be made a habit and not a task.

Restrict employee access to data: Employee access to data and information should be limited. Their ability to install and uninstall software without permission should also be restricted.

Create a mobile device action plan: The use of smartphones has penetrated every aspect of our lives. Most employees use their smartphones for official work, and these devices can create significant security challenges because they contain sensitive corporate information. A mobile device action plan mandating that employees encrypt their data, use strong passwords on their devices, install security apps and limit activity over public Wi-Fi should be implemented.

Keep a backup of sensitive data: This security measure is a sine qua non for any enterprise that is serious about protecting its data from threat actors. A data backup will also help if ransomware affects the company’s servers and systems.

Create a threat intelligence platform: A threat intelligence platform is one of the best security measures that small businesses can undertake. This is essential not only from a security perspective but also from a cost perspective. A centralised threat intelligence platform shared by a number of firms would mean economies of scale and therefore reduced costs.

Lead by example: The cyber security issue needs to reach the founders’ mailbox and not be left behind with the technology teams. Unless the founders show the way, it is difficult for employees to follow.
Conclusion
It is beyond doubt that small businesses and start-ups in India need to improve their cyber security. In fact, start-ups and cyber security form a mutually reinforcing virtuous cycle. Good cyber security means a low chance of breaches, and that means sustained customer faith, improved credibility and brand value. However, if it is ignored, the relationship can turn into a mutually reinforcing vicious cycle, in which a cyber attack leading to the disclosure of sensitive customer information causes brand deterioration, credibility erosion and emaciated customer faith.

Monday, 8 August 2016

Google’s ‘Open YOLO’ project aims to make managing passwords easier

Search giant Google is working with Dashlane and other password manager firms on an open API named 'Open YOLO'. Short for You Only Login Once, the Open YOLO project aims to make it simpler for users to manage passwords in Android apps.

The company wants to help Android users by providing them with a hassle-free login process. With Open YOLO, users will just have to link their favourite password manager to the Android device that has the apps. The apps will then start pulling the password details automatically.


Dashlane, in an official blog post, said, "Dashlane and Google, along with other leading password managers, are collaboratively developing 'Open YOLO' (You Only Login Once) - an open API for App Developers that will give Android apps the ability to access passwords stored in your favourite password manager, and effortlessly and securely log you into those applications."
The company further added, "Dashlane is spearheading the collaboration with other top password management companies, who will contribute their unique security and software development expertise to improve the design and implementation of this open API."


The project is the first big step towards making security simple and accessible for every user, on every device. In future, Google plans to see the Open YOLO API go beyond just Android devices and become universally implemented by apps and password managers across every platform and operating system.


Copy From - 
http://timesofindia.indiatimes.com/tech/tech-news/Googles-Open-YOLO-project-aims-to-make-managing-passwords-easier/articleshow/53603728.cms

Saturday, 6 August 2016

ASP.NET Application Optimization Tips

The application server or load-balanced servers might enhance Web application performance; however, there are ways to enhance performance on the developer side as well. By following certain optimization techniques while writing your application code, you can also eliminate many performance issues. It is essential to understand which parts of your code can be optimized, and how to measure improvements in performance against a baseline.
  • Use connection pooling so that connections can be re-used when future requests to the database are required.
  • Dispose of objects properly in the caller method rather than in the called method.
  • Reduce page load times by techniques such as minifying scripts. Use script file references in pages to enable the client to cache these scripts for subsequent requests.
  • Remove white space and extra tags to dramatically reduce the size of your pages. Limit the use of graphics and consider using compressed graphics.
  • Consider using cascading style sheets to avoid sending the same formatting directives to the client repeatedly.
  • Control names should be short because they generate unique HTML ID names. If a control is used inside nested controls, a 10-character control name can easily turn into 30 to 40 characters.
  • Use Page.IsPostBack to minimize redundant processing.
  • Use a foreach loop in place of a for loop if possible.
  • Avoid using ViewState to facilitate faster page loads. Remove the runat="server" form tag from your Web page if you don't need ViewState, to save bytes of page size. With ViewState enabled, every byte added to it becomes two bytes of network traffic: one from the server to the client and one from the client back to the server.
  • Cache Web pages, or portions of Web pages, if the page is large. Use data caching to boost application performance instead of fetching data from a file or database.
  • Since datasets store data in memory, write efficient SQL queries or procedures that fetch only the information needed. Analyze the WHERE clause in your queries and be specific, so that only the needed rows and columns are returned, and take advantage of indexes when writing queries.
  • Consider using Server.Transfer instead of Response.Redirect, because Response.Redirect sends a metatag to the client that makes the client send a new request to the server using the new URL. Server.Transfer avoids this redirection by making a server-side call.
  • Avoid using Page.DataBind. Instead, call DataBind on specific controls, because the page-level method in turn calls the DataBind method of every control on the page that supports data binding.
  • Minimize calls to DataBinder.Eval, because this method uses reflection to evaluate the arguments that are passed in and to return the results. For example, if a page has a table with 50 rows and 10 columns, DataBinder.Eval will be called 500 times if you use it on each column. Explicit casting offers better performance by avoiding the cost of reflection. Cast Container.DataItem as a DataRowView, as shown in the following code snippet.
  • Use SqlDataReader to access read-only data instead of a DataSet.
  • Although you can return multiple result sets by using dynamic SQL, it is preferable to use stored procedures to get multiple result sets.
  • Using gzip compression can decrease the number of bytes sent by the server. This gives the perception of faster page loads and also cuts down on bandwidth usage.
  • If you have a number of .NET Web services running in one IIS application and consumed by another IIS application, the first call to the Web services can, in many cases, be pretty slow, about 5 to 10 seconds or more; subsequent calls take milliseconds. To speed up the initial call, you can create the XmlSerializers DLL at compile time.
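An added example (not code from the original article) combining three of the tips above: bind a Repeater only when Page.IsPostBack is false, call DataBind on that control rather than Page.DataBind, and read each row through an explicit DataRowView cast instead of the reflection-based DataBinder.Eval. The control IDs (rptCustomers, litName), the column names and the sample rows are assumed; the Literal is HTML-encoded before output because the bound data may be user-supplied and a Literal does not encode on its own.

```csharp
using System;
using System.Data;
using System.Web;
using System.Web.UI;
using System.Web.UI.WebControls;

// Assumes an .aspx page containing
// <asp:Repeater ID="rptCustomers" runat="server" OnItemDataBound="rptCustomers_ItemDataBound">
// whose ItemTemplate holds <asp:Literal ID="litName" runat="server" />.
public partial class CustomersPage : Page
{
    protected void Page_Load(object sender, EventArgs e)
    {
        // Bind on the first request only; a postback keeps the rows it already has.
        if (IsPostBack) return;

        // Constructed sample data standing in for a database query result.
        var table = new DataTable("Customers");
        table.Columns.Add("Id", typeof(int));
        table.Columns.Add("Name", typeof(string));
        table.Rows.Add(1, "Asha");
        table.Rows.Add(2, "O'Brien & Sons"); // characters that need HTML encoding

        rptCustomers.DataSource = table.DefaultView; // each row binds as a DataRowView
        rptCustomers.DataBind();                      // bind this control, not Page.DataBind()
    }

    // Slow form: DataBinder.Eval resolves the "Name" column by reflection on every row.
    private static string NameViaEval(object dataItem)
    {
        return (string)DataBinder.Eval(dataItem, "Name");
    }

    // Fast form: explicit cast to DataRowView and an indexed column lookup, no reflection.
    private static string NameViaCast(object dataItem)
    {
        return (string)((DataRowView)dataItem)["Name"];
    }

    protected void rptCustomers_ItemDataBound(object sender, RepeaterItemEventArgs e)
    {
        if (e.Item.ItemType != ListItemType.Item &&
            e.Item.ItemType != ListItemType.AlternatingItem) return;

        string name = NameViaCast(e.Item.DataItem); // same value NameViaEval would return
        var lit = (Literal)e.Item.FindControl("litName");
        lit.Text = HttpUtility.HtmlEncode(name);    // encode before rendering
    }
}
```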


Conclusion

In my previous article, "ASP.NET Performance Improvements and VS2015 Profiler," I showed how you can use the Visual Studio 2015 diagnostic tools that integrate application profiling with debugging so that you can observe CPU usage, memory usage, HTML UI responsiveness, the thread activity timeline, and the profiler for performance. By using what I presented in that article along with the optimization tips you've learned here, you have the tools for writing high quality code where you can catch and fix performance and other issues in development as well as after deployment.


Copy From http://www.codeguru.com/csharp/.net/net_asp/asp.net-application-optimization-tips.html